When Hackers and Law Enforcement Team Up We May Be the Losers

If you get hacked your privacy isn't the only thing that could be violated. Security Supersite Editor Larry Seltzer warns that the Feds will be happy to give the attacker a passif he rats you out.

The case of James "Whitey" Bulger should have been a lesson to the FBI, or perhaps to us all. Now high on the governments Ten Most Wanted list, Bulger used to be a secret buddy of the G, helping them to prosecute the Italian mafia while protecting his own ongoing criminal activities. The FBI allegedly tipped Whitey off to stings and cut deals to keep him out of big trouble.
Now the FBI is moving into the modern technology era and taking their information from anonymous Internet hackers. A recent Court of Appeals decision upheld the use of evidence obtained by a 3rd-party hacker who was encouraged, indirectly perhaps, by the FBI in a criminal case.
Heres the issue: An anonymous hacker, known in the decision only as Unknownuser, hacked into the computer of the appellant, obtained evidence of child pornography, and finked on the appellant to the FBI. The District Court convicted the appellant, locked him up and threw away the key.

But theres a twist in the case. This wasnt Unknownusers first such effort assisting the prosecution, and prior to this appellants case, the FBI was in contact with Unknownuser. They thanked him for the earlier help and assured himexplicitly and implicitlythat he was not the target of any actions by them. They did not advise him to end his illegal hacking activities.

For those of you who dont watch enough Law & Order, under the Fourth Amendment to the U.S. Constitution we are protected against unreasonable searches and seizures. Under the "exclusionary rule," evidence collected by the state in violation of this amendment is inadmissible in court. But a body of law exists that says that evidence collected by private individuals, legally or otherwise, may be admissible, assuming the individual was not acting as an agent of the government. See the above decision for far more detail on all this.
When faced with this evidence of FBI encouragement of Unknownuser, the District Court reversed its original decision and ruled that Unknownuser was an agent of the government and that the evidence was inadmissible. Then the Circuit Court reversed the decision, saying that the government knew nothing of Unknownusers specific actions in advance and was not actively involved in his private searches. But even the famously conservative Fourth Circuit Court called this a borderline case and said the FBI skated close to the edge.
I asked defense attorney Joshua Dratel about the legal issues.
"Unfortunately, the Fourth Circuit has adopted a technical and semantic interpretation of government participation," Dratel said. "The effect will be to encourage cyber-vigilantism, and promotein advancethe trading of information by criminals to excuse their own illegal conduct."
This case leaves me speechless at the possibilities for abuse by both the government and criminals. Never mind that it puts the FBI in the position of tacitly encouraging hacking and invasions of computer privacy. As Dratel said, it gives criminals reason to believe that their activities will be tolerated as long as they throw enough information the governments way.
And it could go further; I see nothing in the decision that would prevent Unknownuser from first attempting to blackmail the user he was attacking before passing the information on to the FBI, and no reason to believe that the FBI would care.
Even worse, as Dratel warns, "There also exists the problem of the integrity of the information seizeddid the vigilante plant the information there in the first place? We would not tolerate a policy that encouraged and rewarded burglars who happened to find incriminating evidence in the houses they broke into, and we should no more countenance it in cyberspace, where the accountability of the anonymous "Unknownuser" is diminished even further."
More specifically, with the Trojan horse program used by Unknownuser on the appellants computer (Subseven), Unknownuser could have planted all the evidence himself; if he were talented enough, there would be no way to tell the difference. Unknownuser appears, based on the text of the decision, to have acted as an anti-child pornography crusader. But motives, as Whitey Bulger will tell you if you could find him, dont have anything to do with the law here.
In a sense, theres nothing hacking-specific about this issue, still, like so much in the application of law to technology, an existing problem becomes worse. The ease with which a capable user may become and remain anonymous on the Internet means that the way is open for freelance individuals to go out hacking en-masse, searching for evidence of crime in the pursuit of justice or money or whatever. Silly me, I thought it was the job of the FBI to protect us from such people.
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.